Bugtraq mailing list archives
RE: TXT or HTML? -- IE NEW BUG
From: Rebecca Kastl <rkastl () neohapsis com>
Date: Mon, 30 Jul 2001 01:10:40 -0500 (CDT)
Microsoft's response is valid in many respects, but they do fail to address one specific issue. Some corporate security policies (such as firewall rules, content filters, AUP, SecPol, etc.) expressly prohibit such things as ActiveX, Javascript, and more. Specifically, a Fortune 50 company I recently worked for has such a policy. By embedding jscript code in a *.jpg file, such policies and procedures are circumvented, and MS has helped the "evil hacker" attack another victim because they have so far refused to address the real issue -- ignoring MIME type definitions.

--Rebecca Kastl

On Sun, 29 Jul 2001, Microsoft Security Response Center wrote:
* If script were included within a .txt, .jpg or other file and hosted on a web site, it could be opened automatically by a page on the site. However, the script would run in the web page's domain, so it would be subject to all the same limitations as script on the page itself. That is, embedding the script within the file wouldn't gain the attacker any capabilities.

Scott Culp
Security Program Manager
Microsoft Security Response Center
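
An added example, not part of the original post or of any vendor's code: a check a content filter could apply to the case raised in this message, flagging responses whose body contradicts the declared MIME type so that script inside a *.jpg or *.txt is caught before a type-ignoring browser renders it. The function name, the hint list and the 256-byte window are assumptions made for this example, and the sample bodies are constructed.

```python
import re

# Markup tokens that suggest a body would render as HTML if the client
# ignores the declared type (constructed list, not IE's actual algorithm).
HTML_HINTS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|title|plaintext|a\s)",
    re.IGNORECASE,
)

# Leading magic bytes expected for the image types the filter verifies.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

HTML_TYPES = ("text/html", "application/xhtml+xml")
SNIFF_WINDOW = 256  # assumed number of leading bytes to inspect


def audit_response(content_type, body):
    """Return a list of findings for a body that contradicts its declared type."""
    # Drop parameters such as "; charset=..." and normalise case.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared in HTML_TYPES:
        return []  # declared HTML is covered by the ordinary script policy
    head = body[:SNIFF_WINDOW]
    findings = []
    magics = MAGIC.get(declared)
    if magics and not head.startswith(magics):
        findings.append("magic-mismatch")    # not really the declared image type
    if HTML_HINTS.search(head):
        findings.append("html-in-non-html")  # would run as a page if sniffed
    return findings


# Constructed sample responses: (declared Content-Type, body).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
FAKE_JPEG = b"<html><body><script>document.title='x'</script></body></html>"
FAKE_TXT = b"<HTML><BODY>hello</BODY></HTML>"

if __name__ == "__main__":
    for ctype, data in [("image/jpeg", REAL_JPEG), ("image/jpeg", FAKE_JPEG),
                        ("text/plain; charset=us-ascii", FAKE_TXT)]:
        print(ctype, "->", audit_response(ctype, data) or "ok")
```

A filter that blocks or rewrites flagged responses enforces the no-script policy regardless of how the client interprets the file extension or Content-Type.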